Small fixes june 2020 (#857)
* issue 849 * another integration test for a challenge * fixing issue 848 * updated link for issue 833 * fix for 847
		| @ -70,4 +70,45 @@ public class ChallengeTest extends IntegrationTest { | ||||
|         assertTrue(capturefFlags.contains("Admin lost password")); | ||||
|     } | ||||
| 	 | ||||
| 	@Test | ||||
|     public void testChallenge5() { | ||||
|     	startLesson("Challenge5");       | ||||
|     	 | ||||
|     	Map<String, Object> params = new HashMap<>(); | ||||
|         params.clear(); | ||||
|         params.put("username_login", "Larry"); | ||||
|         params.put("password_login", "1' or '1'='1"); | ||||
|         | ||||
|         String result =  | ||||
|         		RestAssured.given() | ||||
|                 .when() | ||||
|                 .relaxedHTTPSValidation() | ||||
|                 .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                 .formParams(params) | ||||
|                 .post(url("/WebGoat/challenge/5")) | ||||
|                 .then() | ||||
|                 .statusCode(200) | ||||
|                 .extract().asString(); | ||||
|          | ||||
|         String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42); | ||||
|     	params.clear(); | ||||
|        	params.put("flag", flag); | ||||
|         checkAssignment(url("/WebGoat/challenge/flag"), params, true); | ||||
|           | ||||
|    | ||||
|         checkResults("/challenge/5");       | ||||
|          | ||||
|         List<String> capturefFlags =  | ||||
|         		RestAssured.given() | ||||
|                 .when() | ||||
|                 .relaxedHTTPSValidation() | ||||
|                 .cookie("JSESSIONID", getWebGoatCookie()) | ||||
|                 .get(url("/WebGoat/scoreboard-data")) | ||||
|                 .then() | ||||
|                 .statusCode(200) | ||||
|                 .extract().jsonPath() | ||||
|                 .get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured"); | ||||
|         assertTrue(capturefFlags.contains("Without password")); | ||||
|     } | ||||
|      | ||||
| } | ||||
|  | ||||
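Review bot: The flag extraction at `String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);` relies on hard-coded offsets and never checks that `indexOf` found anything, so a changed response layout yields either a wrong flag or a StringIndexOutOfBoundsException instead of a clear assertion failure. Since the response appears to be JSON (the scoreboard call later in the same method already goes through `jsonPath()`), extracting with `.extract().jsonPath().getString("flag")` and asserting it is non-null would make the test both sturdier and self-explanatory. `params.clear()` directly after `new HashMap<>()` at the top of the method is a no-op and can be dropped; the same pattern appears in the new SSRFTest in this commit. The misspelt local `capturefFlags` in the new block copies the name from the preceding test; renaming both to `capturedFlags` is a small readability win.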
| @ -0,0 +1,30 @@ | ||||
| package org.owasp.webgoat; | ||||
|  | ||||
| import java.io.IOException; | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
|  | ||||
| import org.junit.jupiter.api.Test; | ||||
|  | ||||
| public class SSRFTest extends IntegrationTest { | ||||
|      | ||||
|     @Test | ||||
|     public void runTests() throws IOException { | ||||
|         startLesson("SSRF"); | ||||
|          | ||||
|         Map<String, Object> params = new HashMap<>(); | ||||
|         params.clear(); | ||||
|         params.put("url", "images/jerry.png"); | ||||
|          | ||||
|         checkAssignment(url("/WebGoat/SSRF/task1"),params,true); | ||||
|         params.clear(); | ||||
|         params.put("url", "http://ifconfig.pro"); | ||||
|          | ||||
|         checkAssignment(url("/WebGoat/SSRF/task2"),params,true); | ||||
|          | ||||
|         checkResults("/SSRF/"); | ||||
|      | ||||
|     } | ||||
|      | ||||
|      | ||||
| } | ||||
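Review bot: `runTests` declares `throws IOException`, but nothing in the body visibly throws it; unless `checkAssignment` or `checkResults` (defined in IntegrationTest, outside this diff) declare it, the clause can be dropped. `params.clear()` immediately after `new HashMap<>()` is a no-op. The second step posts `http://ifconfig.pro`; if the lesson endpoint actually performs that request rather than matching the submitted string, this test depends on outbound network access and will be flaky in a sandboxed CI, which is worth confirming against the SSRF lesson implementation. A short Javadoc such as `/** Exercises the two SSRF lesson assignments (task1 and task2) through the integration harness. */` would also help readers who land here from the test report.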
| @ -13,7 +13,7 @@ For these hashes it is possible to change the payload in such a way that it stil | ||||
| == Salted Hashes | ||||
|  | ||||
| Plain passwords should obviously not be stored in a database. And the same goes for plain hashes. | ||||
| The https://owasp.org/www-project-cheat-sheets/cheatsheets/Password_Storage_Cheat_Sheet.html[OWASP Password Storage Cheat Sheet,window=_blank] explains what should be used when password related information needs to be stored securely. | ||||
| The https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html[OWASP Password Storage Cheat Sheet,window=_blank] explains what should be used when password related information needs to be stored securely. | ||||
|  | ||||
| == Assignment | ||||
|  | ||||
|  | ||||
| @ -11,26 +11,26 @@ To make a long answer short: this is *not* a valid protection against CSRF. | ||||
| One example why this protection is not enough can be found https://bugs.chromium.org/p/chromium/issues/detail?id=490015[here]. | ||||
| Turns out `Navigator.sendBeacon()` was allowed to send POST request with an arbitrary content-type. | ||||
|  | ||||
| [qoute, developer.mozilla.org] | ||||
| [quote, 'developer.mozilla.org'] | ||||
| ____ | ||||
| The navigator.sendBeacon() method can be used to asynchronously transfer a small amount of | ||||
| data over HTTP to a web server. This method addresses the needs of analytics and diagnostics | ||||
| code that typically attempts to send data to a web server prior to the unloading of the | ||||
| document. Sending the data any sooner may result in a missed opportunity to gather data..." | ||||
| document. Sending the data any sooner may result in a missed opportunity to gather data... | ||||
| ____ | ||||
|  | ||||
| {nbsp} + | ||||
| For example: | ||||
|  | ||||
| [source] | ||||
| ---- | ||||
| -- | ||||
| function postBeacon() { | ||||
|     var data= new Blob([JSON.stringify({"author" :"WebGoat"})], {type : 'application/json'}); | ||||
|     navigator.sendBeacon("http://localhost:8083", data) | ||||
| } | ||||
| ---- | ||||
| -- | ||||
|  | ||||
| [quote, Eduardo Vela] | ||||
| [quote, 'Eduardo Vela'] | ||||
| ____ | ||||
| I think Content-Type restrictions are useful for websites that are accidentally safe against CSRF. They are not meant to be, but they are because they happen to only accept XML or JSON payloads. | ||||
|  | ||||
|  | ||||
| @ -1,6 +1,6 @@ | ||||
| {nbsp} + | ||||
| == Examples | ||||
|  | ||||
| ==== Here are some examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user: | ||||
| Here are some examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user: | ||||
|  | ||||
| * `+Smith’ OR '1' = '1+` + | ||||
| results in `+SELECT * FROM users WHERE name = 'Smith' OR TRUE;+` and that way will return all entries from the users table | ||||
|  | ||||
| @ -15,7 +15,7 @@ | ||||
|                   action="/WebGoat/SSRF/task1"> | ||||
|                 <table> | ||||
|                     <tr> | ||||
|                         <input type="hidden" id="url" name="url" value="images/tom.png"/> | ||||
|                         <td><input type="hidden" id="url" name="url" value="images/tom.png"/></td> | ||||
|  | ||||
|                         <td><input | ||||
|                                 name="Steal the Cheese" value="Steal the Cheese" type="SUBMIT"/></td> | ||||
| @ -37,10 +37,10 @@ | ||||
|                   action="/WebGoat/SSRF/task2"> | ||||
|                 <table> | ||||
|                     <tr> | ||||
|                         <input type="hidden" id="url" name="url" value="images/cat.png"/> | ||||
|                         <td><input type="hidden" id="url" name="url" value="images/cat.png"/></td> | ||||
|  | ||||
|                         <td><input | ||||
|                                 name="Run Ifconfig" value="Run Ifconfig" type="SUBMIT"/></td> | ||||
|                                 name="try this" value="try this" type="SUBMIT"/></td> | ||||
|                         <td></td> | ||||
|                     </tr> | ||||
|                 </table> | ||||
|  | ||||
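Review bot: Both hunks in this file leave two elements with `id="url"` on the same page (the hidden inputs for task1 and task2), which is invalid HTML and makes any `getElementById('url')` lookup ambiguous; distinct ids such as `id="url1"` and `id="url2"`, or dropping the id altogether if no script references it, would fix that. Wrapping the inputs in `<td>` does correct the stray `<input>` placed directly inside `<tr>`. `type="SUBMIT"` in uppercase is valid but inconsistent with the lowercase attribute values around it.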
| @ -1,12 +1,13 @@ | ||||
|  | ||||
| == Concept | ||||
| In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or a modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed. | ||||
| In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to. And, by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases or perform post requests towards internal services which are not intended to be exposed. | ||||
|  | ||||
| == Goals | ||||
| * The user will need to modify the URL. | ||||
| In the exercises on the next pages, you need to examine what the browser sends to the server and how you can adjust the request to get other things from the server. | ||||
|  | ||||
| == SSRF How-To | ||||
| * https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF | ||||
|  | ||||
| == A New Era of SSRF by Orange Tsai | ||||
| * https://www.youtube.com/watch?v=D1S-G8rJrEk | ||||
|  | ||||
| video::D1S-G8rJrEk[youtube, height=480, width=100%] | ||||
|  | ||||
| @ -1,2 +1,2 @@ | ||||
| === Change the URL to display Jerry  | ||||
|  | ||||
| === Find and modify the request to display Jerry  | ||||
| lick the button and figure out what happened. | ||||
|  | ||||
| @ -1,2 +1,2 @@ | ||||
| === Change the URL to display the Interface Configuration with ifconfig.pro | ||||
|  | ||||
| === Change the request so the server gets information from http://ifconfig.pro | ||||
| Click the button and figure out what happened. | ||||
|  | ||||
| @ -4,41 +4,23 @@ | ||||
|  | ||||
|     <link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css" /> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_plan.adoc"></div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content0.adoc"></div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content1.adoc"></div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content1a.adoc"></div> | ||||
| 	</div> | ||||
|  | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
|         <!-- include content here. Content will be presented via asciidocs files, | ||||
|         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content2.adoc"></div> | ||||
| 		<div class="attack-container"> | ||||
| 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> | ||||
| 			<div id="lessonContent"> | ||||
|                 <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> | ||||
|                 <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> | ||||
|                 <!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> | ||||
|         			<table> | ||||
| 						<tr> | ||||
| 							<td>Clicking go will execute a jquery-ui close dialog:</td> | ||||
| @ -67,9 +49,6 @@ | ||||
| 		<div class="attack-container"> | ||||
| 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> | ||||
| 			<div id="lessonContent"> | ||||
|                 <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> | ||||
|                 <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> | ||||
|                 <!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> | ||||
|         			<table> | ||||
| 						<tr> | ||||
| 							<td>Clicking go will execute a jquery-ui close dialog:</td> | ||||
| @ -95,53 +74,29 @@ | ||||
|  | ||||
| 		</div> | ||||
| 	</div> | ||||
|  | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content3.adoc"></div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content4.adoc"></div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content4a.adoc"></div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content4b.adoc"></div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content4c.adoc"></div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div> | ||||
| 	</div> | ||||
| 	 | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content5a.adoc"></div> | ||||
| 		<div class="attack-container"> | ||||
| 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
| 			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> | ||||
|             <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> | ||||
|             <!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> | ||||
| 			<form class="attack-form" accept-charset="UNKNOWN" | ||||
| 				method="POST" name="form" | ||||
| 				action="/WebGoat/VulnerableComponents/attack1"> | ||||
| @ -165,9 +120,6 @@ | ||||
| 		</div> | ||||
| 	</div> | ||||
| 	<div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
| 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
| 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:VulnerableComponents_content6.adoc"></div> | ||||
| 	</div> | ||||
| 	 | ||||
|  | ||||
| @ -10,8 +10,6 @@ | ||||
|  | ||||
| * It's really difficult to keep components up to date | ||||
|   | ||||
| ==== | ||||
|  | ||||
| For the components analyzed in 25,000 applications it was found that: | ||||
|  | ||||
| *  8% of  2 year old components did not have a newer version | ||||
|  | ||||
| @ -35,7 +35,7 @@ JSON parse error: Unexpected character '{' (code 123) in prolog; expected | ||||
|  | ||||
| This error message appears because we are still sending a json message towards the endpoint, so if we intercept and change change the json message to a xml message: | ||||
|  | ||||
| [souce] | ||||
| [source] | ||||
| ---- | ||||
| POST http://localhost:8080/WebGoat/xxe/content-type HTTP/1.1 | ||||
| Content-Type: application/xml | ||||
|  | ||||
| @ -20,6 +20,6 @@ xif.setProperty(XMLInputFactory.SUPPORT_DTD, true); | ||||
| For more information about configuration, see https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html[XXE prevention sheet] | ||||
|  | ||||
|  | ||||
| ==== Validate | ||||
| === Validate | ||||
|  | ||||
| Implement proper validation for the Content-type and Accept header do not simply rely on the framework to handle the incoming request. If the client specifies a proper accept header return with a `406/Not Acceptable. | ||||